github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 10:43:56 +00:00
Code Issues Projects Releases Wiki Activity

cri-api: KEP-3857: Recursive Read-only (RRO) mounts

Browse Source 
This commit modifies the following files:

- `staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto`
- `staging/src/k8s.io/cri-api/pkg/errors/errors.go`

Other changes were auto-generated by running `make update`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This commit is contained in:
Akihiro Suda 2024-02-08 02:48:45 +09:00
parent 5909bd2ddf
commit a834bd84b5
No known key found for this signature in database
GPG Key ID: 49524C6F9F638F1A
3 changed files with 1045 additions and 469 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1484
staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.pb.go
View File

File diff suppressed because it is too large Load Diff

27
staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto
View File

@ -235,6 +235,15 @@ message Mount {
repeated IDMapping uidMappings = 6;
// GidMappings specifies the runtime GID mappings for the mount.
repeated IDMapping gidMappings = 7;
// If set to true, the mount is made recursive read-only.
// In this CRI API, recursive_read_only is a plain true/false boolean, although its equivalent
// in the Kubernetes core API is a quaternary that can be nil, "Enabled", "IfPossible", or "Disabled".
// kubelet translates that quaternary value in the core API into a boolean in this CRI API.
// Remarks:
// - nil is just treated as false
// - when set to true, readonly must be explicitly set to true, and propagation must be PRIVATE (0).
// - (readonly == false && recursive_read_only == false) does not make the mount read-only.
bool recursive_read_only = 8;
}
// IDMapping describes host to container ID mappings for a pod sandbox.
@ -1528,6 +1537,22 @@ message StatusRequest {
bool verbose = 1;
}
message RuntimeHandlerFeatures {
// recursive_read_only_mounts is set to true if the runtime handler supports
// recursive read-only mounts.
// For runc-compatible runtimes, availability of this feature can be detected by checking whether
// the Linux kernel version is >= 5.12, and, `runc features | jq .mountOptions` contains "rro".
bool recursive_read_only_mounts = 1;
}
message RuntimeHandler {
// Name must be unique in StatusResponse.
// An empty string denotes the default handler.
string name = 1;
// Supported features.
RuntimeHandlerFeatures features = 2;
}
message StatusResponse {
// Status of the Runtime.
RuntimeStatus status = 1;
@ -1536,6 +1561,8 @@ message StatusResponse {
// debug, e.g. plugins used by the container runtime.
// It should only be returned non-empty when Verbose is true.
map<string, string> info = 2;
// Runtime handlers.
repeated RuntimeHandler runtime_handlers = 3;
}
message ImageFsInfoRequest {}

3
staging/src/k8s.io/cri-api/pkg/errors/errors.go
View File

@ -29,6 +29,9 @@ var (
// ErrSignatureValidationFailed - Unable to validate the image signature on the PullImage RPC call.
ErrSignatureValidationFailed = errors.New("SignatureValidationFailed")
// ErrRROUnsupported - Unable to enforce recursive readonly mounts
ErrRROUnsupported = errors.New("RROUnsupported")
)
// IsNotFound returns a boolean indicating whether the error